How much should businesses invest in cyber resilience? 

Ramsac network monitoring cybersecurity

A common error that organisations can make, is to think of cyber resilience as a one-time financial spend instead of a financial investment for their future.  Rather than an ad hoc  or one off spend, we recommend that organisations consider cyber resilience as a moving target, one that is constantly evolving. Building long-term resilience requires sustained investment and you should consider a separate budget line which demonstrates your commitment to continued protection for your business. Which elements of cyber resilience you invest in year after year may grow and change based on your industry standards, the size of the organisation or breaches you experience. Cyber resilience measures you may choose to invest in could include:  

  • Training for your staff. 
  • Phishing testing and awareness 
  • Cyber monitoring and response services 
  • Penetration testing. 
  • Incident response planning 
  • Cyber Resilience Certification. 
  • Software tools such as malware protection, password management or threat detection 
  • Device and application management tools and services 
  • Tools and processes to manage software and hardware patching and updates 
  • Cyber audits/risk assessments 
  • Cyber insurance 

If, as a board, you are asking yourselves what percentage of revenue should go on a cybersecurity budget, unfortunately there is no single recommended percentage of turnover that should be spent on cyber resilience. However, here are some general guidelines to help you best assess this for your organisation: 

  • Understanding risks is important. Conducting a cyber resilience  assessment will help you to understand your organisation’s specific cybersecurity risks and needs. This will help determine the appropriate investment level. 
  • Cyber resilience spending will vary significantly depending on the size, industry, and risk profile of the organisation. Larger organisations with more data and higher risks often need to spend more. 
  • According to various estimates, most organisations spend between  0.5-1.5% of overall revenue on cyber resilience 
  • For smaller businesses, spending 10% of the total IT budget on cybersecurity is often recommended. 
  • Highly regulated industries like finance and healthcare tend to spend more, sometimes up to 20% of the total IT budget. 
  • Focus spending on high impact areas like awareness training, access controls, data security, incident response plans, and system redundancies. 

If you are looking to justify the spend it is well worth remembering the cost of the alternative.  A data breach can cost an organisation in many ways including loss of revenue, fines from the ICO and reputational damage.  In July 2023, IBM Security released its annual ‘Cost of a Data Breach Report’ which revealed that UK organisations pay an average of £3.4m for data breach incidents. 

In 2020, a data breach of broadband provider Virgin Media involving the personal data of 900,000 customers. Following the incident, Virgin Media reportedly faced a class-action lawsuit of nearly £4.5 billion. In March 2023 Capita suffered a cyber-attack which is currently estimated to be costing them £20 million. Investment in cyber resilience can save you money in the event of a cyber breach.  

Organisations who take cyber resilience seriously would benefit from investing in a cybersecurity monitoring service, which will meet a lot of their cyber resilience needs.  ramsac’s secure+ service can do just that.  secure+ is a ramsac managed service, run by our dedicated in-house Cybersecurity team that allows us to detect a breach the moment it happens and to take action to prevent damage from being done. Below are just some of the benefits of secure+: 

  • Each month you will get a comprehensive report of your secure+ service, where we call out significant events and recommendations to improve your security.  
  • We periodically run scans against your external facing infrastructure to look for vulnerabilities or gaps in your security.  
  • You will get priority status for emergency or critical patches that get announced.  
  • Every quarter we will run an audit of critical accounts, mailboxes and other services to check that privileges are as expected across your estate. 

 

If you are not sure where to start why not download our Cyber Resilience Whitepaper which outlines the 10 essential questions you should be asking about your Cyber resilience such as, ‘How well do you train your staff on IT security?’ And ‘How much control do you have over your devices?’. 

Related Posts

  • The importance of cybersecurity contingency planning for businesses

    The importance of cybersecurity contingency planning for businesses

    Cybersecurity

    Protect your data from cybercriminals and minimise downtime with an effective cybersecurity contingency plan. Read on. [...]

    Read article

  • How to Spot a Scam HMRC Letter 

    How to Spot a Scam HMRC Letter 

    Cybersecurity

    Learn how to spot fraudulent communications, like fake HMRC letters, and take steps to protect your personal information and finances from scammers. [...]

    Read article

  • What is Data Loss Prevention (DLP)?

    What is Data Loss Prevention (DLP)?

    CybersecurityTechnical Blog

    Explore how Data Loss Prevention (DLP) strategies and tools protect sensitive data, ensure regulatory compliance, and mitigate risks from insider threats, enabling organisations to stay secure and resilient in [...]

    Read article

  • AI-Driven Threat Detection and Response

    AI-Driven Threat Detection and Response

    AICybersecurityTechnical Blog

    This blog explores how AI-driven cybersecurity is transforming threat detection and response with real-time, adaptive defenses against evolving cyber threats. [...]

    Read article

  • Why you should invest in Cybersecurity Consultancy

    Why you should invest in Cybersecurity Consultancy

    Cybersecurity

    n an increasingly complex cyber threat landscape, investing in cybersecurity consultancy is essential to protect your business from potential risks and ensure long-term resilience. [...]

    Read article

  • Everything you need to know about the transition to ISO 27001:2022 

    Everything you need to know about the transition to ISO 27001:2022 

    Cybersecurity

    This blog explains the essential steps and timeline for transitioning from ISO 27001:2013 to ISO 27001:2022, ensuring your organisation maintains its certification before the October 2025 deadline. [...]

    Read article

Quiz yourself

Are you more cyber savvy than an 11 year old?

11-14 year olds get asked these questions in school. Could you get these right?